© 2018 Arm Limited
Nazir S, Arm Tech Symposia India
A Developer's Guide to Security on Cortex-M based MCUs
Agenda
• Why do we need security?
• Types of attacks and security assessments
• Introduction to TrustZone
• What is physical security?
• Processor selection
• Secure software development
Why do we need security?
Security is not optional anymore
• Billions of IoT devices
• Data integrity, security & privacy
• Potential losses from hacks and breaches
Security is an integral part of the DNA of Arm
Timeline, 2004 to 2018 (milestones as labelled on the slide):
• SecurCore
• Cortex-A with TrustZone
• TEE for Cortex-A
• Arm CryptoCell
• Mbed
• Armv8-M processors: Cortex-M23 and Cortex-M33 with Arm TrustZone
• Arm security manifesto
• Platform Security Architecture (PSA) launched
• PSA threat models
• PSA Trusted Firmware (TF-M)
• Arm CryptoIsland secure enclave
• iSIM technology (Kigen family)
• Physical security enhancements
Arm IP protects against a wide set of attacks:
• Physical vulnerabilities
• Communication vulnerabilities
• Lifecycle vulnerabilities
• Software vulnerabilities
Matching the attack with the right mitigation
Four attack classes to consider: lifecycle, communication, software and physical.
How much security is needed?
The slide plots cost/effort to attack against cost/effort to secure; each step up in attacker capability calls for a stronger mitigation:
• Communication attacks (man in the middle, weak RNG, code vulnerabilities): mitigated with TLS/SSL
• Software attacks & lightweight hardware attacks (buffer overflows, interrupts, malware): mitigated with a TrustZone-based TEE*
• Software & hardware attacks with physical access to the device (JTAG, bus, IO pins; the attacker has time, money & equipment): mitigated with a security subsystem & enclave, or a secure element
Together these tiers build up to Secure IoT.
*Trusted Execution Environment / Secure Partitioning Manager
Introduction to TrustZone
Efficient TrustZone security isolation
• Comprehensive: secure, holistic protection across the entire processor and system
• Simple to use: transparent to the software developer; same programmers' model
• Optimized for small embedded: hardware-enforced isolation; deterministic, low-latency interrupts
Diagram: two worlds, one CPU. The Trusted view (secure firmware, secure services, secure data) and the Non-trusted view (firmware, data) share the CPU resources, memory and peripherals; transitions between the worlds happen in real time (≤2 cycles).
Security for all embedded applications
• Root of trust applications (IoT IP protection): trusted hardware and trusted drivers protecting valuable firmware
• Sandboxing: trusted hardware, trusted drivers and a certified OS / functionality hosting trusted software
• Secure system: trusted hardware with crypto, TRNG* and secure storage
Each case draws the line between trusted and untrusted components.
* True random number generator
Device security: secure partitioning for MCUs
• Split memory into private secure and public non-secure
• Small private footprint enables exhaustive verification
• Public code never sees keys/secrets
• Vulnerabilities on public side can’t affect private side
• Private side can verify integrity of the public side
• Public code can’t write code directly to Flash
• Private side can reliably recover device to clean state
Diagram: the public (non-secure) side holds the application protocol, SSL library, diagnostics, WiFi stack, BLE stack and device management, and talks to the cloud; the private (secure) side holds secure storage, crypto keys, secure ID, the crypto API, firmware update and the RNG.
Lifecycle & Physical Security
Lifecycle security
Stages: wafer sort/final test, CM/OEM, customer, repair.
• Program unique ID, certificates and the secure bootloader
• Disable debug
• Encrypted download of the secure image and the app image via the bootloader
• Secure firmware update: check for rollback, verify the image
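The update step above is a short sequence of checks whose order matters. What follows is an added example, not code from this deck, from Arm or from TF-M: a host-side Go model of the bootloader's decision. The manifest layout, Ed25519 as the signature scheme, the sample images and the starting version counter are all constructed for the example; on a real part the verification key sits in ROM or OTP and the version counter in tamper-resistant storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata shipped with an image. The layout is an
// assumption for this example; TF-M / MCUboot define their own formats.
type Manifest struct {
	Version   uint32
	Digest    [32]byte // SHA-256 of the image bytes
	Signature []byte   // Ed25519 over tbs()
}

// tbs returns the bytes the signature covers: version and digest together, so
// neither can be swapped independently of the other.
func (m *Manifest) tbs() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Device is the bootloader's state: the verification key (ROM/OTP on a real
// part) and the monotonic version of the installed image (secure storage).
type Device struct {
	VerifyKey ed25519.PublicKey
	Installed uint32
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrRollback  = errors.New("rollback: version not newer than installed")
	ErrDigest    = errors.New("image digest does not match manifest")
)

// Install runs the checks in the only safe order: authenticate the manifest,
// then enforce anti-rollback on the now-trusted version, then bind the image
// bytes to the manifest, and only then commit.
func (d *Device) Install(m Manifest, image []byte) error {
	if len(m.Signature) != ed25519.SignatureSize || !ed25519.Verify(d.VerifyKey, m.tbs(), m.Signature) {
		return ErrSignature
	}
	if m.Version <= d.Installed { // equal is a replay, not an update
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	// The image write would happen here; the counter advances only after it succeeds.
	d.Installed = m.Version
	return nil
}

// Sign models the vendor's release step; the private key never reaches the device.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.tbs())
	return m
}

// Scenario provisions a device at version 3 with a fresh (constructed) key pair
// and feeds it six updates. Returned errors, in order: nil, ErrRollback,
// ErrRollback, ErrDigest, ErrSignature, nil.
func Scenario() []error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // an attacker's own key
	dev := &Device{VerifyKey: pub, Installed: 3}

	img2, img4, img5 := []byte("image v2"), []byte("image v4"), []byte("image v5")
	m2, m4, m5 := Sign(priv, 2, img2), Sign(priv, 4, img4), Sign(priv, 5, img5)
	tampered := append([]byte(nil), img5...)
	tampered[0] ^= 0x01

	return []error{
		dev.Install(m4, img4),                   // genuine upgrade 3 -> 4
		dev.Install(m4, img4),                   // replay of the current image
		dev.Install(m2, img2),                   // validly signed but old
		dev.Install(m5, tampered),               // image swapped under a good manifest
		dev.Install(Sign(rogue, 6, img5), img5), // manifest signed by the wrong key
		dev.Install(m5, img5),                   // genuine upgrade 4 -> 5
	}
}

func main() {
	for i, err := range Scenario() {
		fmt.Printf("update %d: %v\n", i+1, err)
	}
}
```

Signature first, because the version field is attacker-controlled until it is authenticated; strictly-greater comparison, because a replayed copy of the current image is still a rollback of any fix applied since; and the counter advances only after the image is committed, so a power loss mid-write leaves the device able to retry rather than holding a counter that no installed image satisfies.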
Defending silicon vulnerabilities
Power and EM analysis Fault injection attacks Invasive attacks/tampering
Can we build an IP solution portfolio that can address these threats efficiently at the source?
Can we integrate the solution to these three vulnerabilities into a single IP?
Proliferation of the need for physical security
Processor Selection
Security layers
• Memory protection unit (MPU, optional on each part): Cortex-M0+, Cortex-M3, Cortex-M4, Cortex-M7, Cortex-M23, Cortex-M33, Cortex-M35P (Cortex-M0 has no MPU)
• TrustZone for Armv8-M: Cortex-M23, Cortex-M33, Cortex-M35P
• Physical security: Cortex-M35P
Cortex-M23: Ultra low power with TrustZone
• Enhanced capability: increased performance; multi-core system support; 240 interrupts; hardware stack checking
• Security foundation: system-wide security with TrustZone technology
• Ultra-high efficiency: flexible sleep modes; extensive clock gating; optional state retention
• Enhanced & secure debug: security-aware debug; simplified firmware development; embedded trace macrocell
• Enhanced memory protection: easy to program; dedicated protection for both secure and non-secure states
• Smallest area, lowest power: with TrustZone, same energy efficiency as Cortex-M0+
Cortex-M33: Security for diverse embedded markets
• Security foundation: system-wide security with TrustZone technology
• Extensible compute: co-processor interface for tightly-coupled acceleration
• Enhanced memory protection: easy to program; dedicated protection for both secure and non-secure states
• 32-bit processor of choice: optimal balance between performance and power; 20% greater performance than Cortex-M4; with TrustZone, same energy efficiency as Cortex-M4
• Enhanced & secure debug: security-aware debug; simplified firmware development
• Digital signal control: brings DSP to all developers; FPU offering up to 10x performance over software
Cortex-M35P: Physical security for high-value applications
• Highest security: customizable anti-tampering and side channel attack mitigation
• Extensible compute: co-processor interface for tightly-coupled acceleration
• Security and safety packages: commercial, automotive; provides a basis for certification
• Increased performance: 5x Flash frequency boost thanks to the instruction cache; 3.5x boost for DSP applications; +20% integer performance boost
• Enhanced & secure debug: security-aware debug; simplified firmware development
• Dual-core lockstep: partial or full lockstep; security and safety
Total security: scalable protection for all attack types
• Cortex-M23/Cortex-M33: first Cortex-M processors with TrustZone
• Cortex-M35P: a new Cortex-M processor with tamper resistance and software isolation
• CryptoCell-312/P: cryptography and lifecycle IP, with or without physical security mitigation
• CryptoIsland-300/P: secure enclave IP, with or without physical security mitigation
Security is key for IoT to scale to 1 trillion devices. Advanced protection is critical as physical security attacks are getting easier and cheaper. Designers can use Arm's Platform Security Architecture to assess threats. Arm makes security accessible to all embedded and IoT designers.
Arm secure foundation solutions
Complete system approach:
• CorStone foundation IP (formerly SDKs): pre-verified, configurable system and subsystem IP; modifiable subsystem IP; pre-integrated with processor and security IP
• Development tools (including FPGA/test chip boards)
• CorStone-ready software (e.g. Mbed OS)
Secure Software Development
Existing IoT application: mixed Secure and Non-secure code in one project
• MPU used for process protection
• Crypto keys & certificates stored in non-readable memory
• Requires auditing of all code to protect against software vulnerabilities
Diagram: a single project containing boot & boot loader, firmware update, crypto library, user application, RTOS start, communications stack, and crypto keys and certificates, all connected by plain function calls.
Developing code for secure IoT applications: composing a system from Secure and Non-secure projects
• Partition the project: place minimal security-related code in the secure project
• Non-secure project cannot access Secure resources
• Secure project can access everything
• Secure and Non-secure projects may implement independent time scheduling
Diagram: the user project (Non-secure state) holds the user application, RTOS start and communications stack; the secure project (Secure state) holds secure boot & bootloader, firmware update, crypto library, and crypto keys and certificates. Calls from the user project into the secure project cross the state boundary as function calls.
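Both partitioning slides (secure partitioning for MCUs, and composing Secure and Non-secure projects) state the rule that non-secure code cannot touch secure resources, but not what the secure side has to do when a non-secure caller hands it a pointer. The following is an added example, not code from this deck or from Arm: a host-side Go model of an Armv8-M secure gateway function that takes an untrusted (address, size) pair. The memory attribution table, the address ranges, the backing store for non-secure SRAM and the device key are constructed for the example; on a real part the attribution comes from the IDAU/SAU, and the secure-side C code makes the same check with cmse_check_address_range() from arm_cmse.h on an entry function marked __attribute__((cmse_nonsecure_entry)).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// region is one entry of a constructed memory-attribution table (assumption:
// not any real device's map). The secure-side C equivalent of nonSecureRange()
// is cmse_check_address_range() from arm_cmse.h.
type region struct {
	base, limit uint32 // inclusive
	secure      bool
}

const nsSRAMBase = 0x3000_0000

// nonSecureSRAM is a constructed backing store for the non-secure SRAM window.
var nonSecureSRAM [0x1000]byte

var attribution = []region{
	{0x0000_0000, 0x0FFF_FFFF, true},        // secure flash: bootloader, crypto, keys
	{0x1000_0000, 0x1FFF_FFFF, false},       // non-secure flash: user application
	{0x2000_0000, 0x2FFF_FFFF, true},        // secure SRAM
	{nsSRAMBase, nsSRAMBase + 0x0FFF, false}, // non-secure SRAM window
}

// deviceKey lives only on the secure side (constructed value).
var deviceKey = []byte("constructed-device-key-not-real!")

func lookup(addr uint32) (region, bool) {
	for _, r := range attribution {
		if addr >= r.base && addr <= r.limit {
			return r, true
		}
	}
	return region{}, false
}

// nonSecureRange reports whether every byte of [addr, addr+size) is attributed
// non-secure. It fails closed on an empty range, a 32-bit wraparound, an
// unmapped address, and any byte that lands in a secure region, even when the
// first byte is non-secure.
func nonSecureRange(addr, size uint32) bool {
	if size == 0 {
		return false
	}
	end := addr + size - 1
	if end < addr { // wrapped past 0xFFFFFFFF
		return false
	}
	for {
		r, ok := lookup(addr)
		if !ok || r.secure {
			return false
		}
		if r.limit >= end {
			return true
		}
		addr = r.limit + 1 // continue into the next region
	}
}

// readNS copies a non-secure range into secure-owned memory. Only the NS SRAM
// window is backed in this model; NS flash would be read the same way.
func readNS(addr, size uint32) ([]byte, error) {
	if addr < nsSRAMBase || uint64(addr-nsSRAMBase)+uint64(size) > uint64(len(nonSecureSRAM)) {
		return nil, errors.New("range not backed by this model")
	}
	buf := make([]byte, size)
	copy(buf, nonSecureSRAM[addr-nsSRAMBase:])
	return buf, nil
}

// SecureMAC is the secure-gateway entry point. The caller's (addr, size) is
// untrusted: it is checked against the attribution table, then the bytes are
// copied into secure-owned memory before use so the non-secure side cannot
// change them between the check and the computation.
func SecureMAC(addr, size uint32) ([]byte, error) {
	if !nonSecureRange(addr, size) {
		return nil, errors.New("buffer is not entirely non-secure: refused")
	}
	local, err := readNS(addr, size)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, deviceKey)
	mac.Write(local)
	return mac.Sum(nil), nil
}

func main() {
	copy(nonSecureSRAM[0x100:], "telemetry record 42")
	for _, req := range []struct{ addr, size uint32 }{
		{nsSRAMBase + 0x100, 19}, // well-formed non-secure buffer
		{0x2000_0100, 19},        // points into secure SRAM
		{nsSRAMBase + 0xFF0, 32}, // starts non-secure, runs off the window
		{0xFFFF_FFF0, 32},        // wraps the address space
	} {
		mac, err := SecureMAC(req.addr, req.size)
		if err != nil {
			fmt.Printf("0x%08x+%d: %v\n", req.addr, req.size, err)
			continue
		}
		fmt.Printf("0x%08x+%d: MAC %x...\n", req.addr, req.size, mac[:8])
	}
}
```

The model enforces the two things that go wrong in practice: the whole range is attributed, not just the first byte (a buffer that starts in non-secure RAM but runs into secure RAM or wraps the address space is refused), and the data is copied into secure-owned memory before use, so a non-secure thread or DMA engine cannot change it after the check.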
IoT: Secure, Easier and More Scalable with Arm
Scalable | Secure | Consistent programming | Services capable
Secure IoT Platform built from: secure foundation IP; identity and certification of secure platforms; device management & provisioning; a diverse partner ecosystem; operating system.
Get started with security on Arm
• IoT security is not optional
• Consider attack types – communication, software, life cycle and physical
• Platform Security Architecture provides a blueprint for secure design
• TrustZone provides software isolation to reduce the attack surface
Visit Arm TrustZone on Arm Community for more information to get started
The Arm trademarks featured in this presentation are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.
www.arm.com/company/policies/trademarks
Thank You